<div dir="ltr">Hi,<div><br></div><div>Check your DPD settings, I have seen that incorrect setting on this cause multiple SAs to be created.</div><div><br></div><div>Thanks,</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 6, 2019 at 5:57 AM James Masson <<a href="mailto:james.masson@jmips.co.uk">james.masson@jmips.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi list,</div><div><br></div><div>I've got a working configuration for a collection of servers using transport mode to encrypt only a subset of ports, using strongswan 5.7.2-1 .<br></div><div><br></div><div>However, it seems suboptimal, because the servers are generating and deleting new SAs every few seconds - I presume for every client port <> server port pair ? The traffic on these ports is UDP, so there would be massive overhead in doing this.<br></div><div><br></div><div>Logs/config/SAs - <a href="https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472" target="_blank">https://gist.github.com/james-masson/347bcdab80c93c83dfc68f111a5cb472</a></div><div><br></div><div>Can anybody point out a flaw in or improvements to my config?</div><div><br></div><div>To be clear, I'm after a config that does crypto negotiation once per IP pair, but only encrypts traffic to/from a particular set of ports.</div><div><br></div><div>thanks</div><div><br></div><div>James M<br></div><div><br></div></div></div></div></div></div>
</blockquote></div>